From 21ec0f02c4ab2646b59c969f728d9549615e8fb8 Mon Sep 17 00:00:00 2001
From: StanGirard
Date: Fri, 5 Aug 2022 23:44:05 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=90=9B=20s3=20zone?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 ++
 VERSION | 2 +-
 internal/aws/s3/s3.go | 25 +++++++++++++++++++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d0887f6..931c8dc 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ Flags:
 
 ### AWS
 
+- AWS_S3_001 S3 Encryption
+- AWS_S3_002 S3 One Zone Only
 - AWS_VOL_001 EC2 Volumes Encryption
 - AWS_RDS_001 RDS Encryption
 - AWS_RDS_002 RDS Backup
diff --git a/VERSION b/VERSION
index def9a01..a1e1395 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.5
\ No newline at end of file
+0.1.7
\ No newline at end of file
diff --git a/internal/aws/s3/s3.go b/internal/aws/s3/s3.go
index 3e8f391..8bed724 100644
--- a/internal/aws/s3/s3.go
+++ b/internal/aws/s3/s3.go
@@ -34,7 +34,6 @@ func checkIfEncryptionEnabled(s *session.Session, buckets []*s3.Bucket, c *[]typ
 svc := s3.New(s)
 for _, bucket := range buckets {
 if !CheckS3Location(s, *bucket.Name, *s.Config.Region) {
- fmt.Println("S3 encryption is not enabled on " + *bucket.Name)
 continue
 }
 params := &s3.GetBucketEncryptionInput{
@@ -58,6 +57,27 @@ func checkIfEncryptionEnabled(s *session.Session, buckets []*s3.Bucket, c *[]typ
 *c = append(*c, check)
 }
 
+func CheckIfBucketInOneZone(s *session.Session, buckets []*s3.Bucket, c *[]types.Check) {
+ var check types.Check
+ check.Name = "S3 Bucket in one zone"
+ check.Id = "AWS_S3_002"
+ check.Description = "Check if S3 buckets are in one zone"
+ check.Status = "OK"
+ for _, bucket := range buckets {
+ if !CheckS3Location(s, *bucket.Name, *s.Config.Region) {
+ check.Status = "FAIL"
+ status := "FAIL"
+ Message := "S3 bucket " + *bucket.Name + " is not in the same zone as the account"
+ check.Results = append(check.Results, types.Result{Status: status, Message: Message})
+ } else {
+ status := "OK"
+ Message := "S3 bucket " + *bucket.Name + " is in the same zone as the account"
+ check.Results = append(check.Results, types.Result{Status: status, Message: Message})
+ }
+ }
+ *c = append(*c, check)
+}
+
 func CheckS3Location(s *session.Session, bucket, region string) bool {
 logger.Debug("Getting S3 location")
 svc := s3.New(s)
@@ -66,7 +86,7 @@ func CheckS3Location(s *session.Session, bucket, region string) bool {
 Bucket: aws.String(bucket),
 }
 resp, err := svc.GetBucketLocation(params)
- if resp.LocationConstraint != nil && err != nil {
+ if *resp.LocationConstraint != "" && err == nil {
 if *resp.LocationConstraint == region {
 return true
 } else {
@@ -83,5 +103,6 @@ func RunS3Test(s *session.Session) []types.Check {
 logger.Debug("Starting S3 tests")
 buckets := GetListS3(s)
 checkIfEncryptionEnabled(s, buckets, &checks)
+ CheckIfBucketInOneZone(s, buckets, &checks)
 return checks
 }
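Review bot: The check reports a FAIL finding for any bucket where `CheckS3Location` returns false, but that helper (in this file) also returns false on an API error, so an access-denied or transient failure on `GetBucketLocation` is recorded as "is not in the same zone as the account" rather than as an error; readers of the report cannot tell a real finding from a permission problem. The wording is also off: what is compared is the bucket's region against `*s.Config.Region`, not an availability zone, so "S3 One Zone Only" / "in one zone" reads like the S3 One Zone-IA storage class — I would change it to `check.Description = "Check if S3 buckets are in the same region as the session"` and use "region" in the two result messages. A bucket living in another region is not by itself a security weakness, so the description should say what the finding means for the operator (the other checks in this file skip such buckets). As a point of style, the new function is exported while its sibling `checkIfEncryptionEnabled` is not, and the local `Message` should be `message`.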
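Review bot: The new condition dereferences `resp.LocationConstraint` before `err` is inspected, and in aws-sdk-go v1 a bucket in us-east-1 is returned with a nil/empty `LocationConstraint` (the legacy `EU` value for eu-west-1 is a similar case, if that matters here), so scanning an account with a us-east-1 bucket, or hitting any `GetBucketLocation` error, panics the scanner with a nil pointer dereference instead of producing a result. Even when it does not panic, the `!= ""` guard makes a us-east-1 bucket compare as "not in region" when the session itself is us-east-1. Check the error first, read the pointer with `aws.StringValue`, and normalise the empty constraint to `us-east-1` before comparing; the `else` branch and the rest of `CheckS3Location` continue outside this hunk.

```go
resp, err := svc.GetBucketLocation(params)
if err != nil {
	logger.Debug("GetBucketLocation failed for " + bucket + ": " + err.Error())
	return false
}
// GetBucketLocation reports buckets in us-east-1 with an empty (nil) constraint.
loc := aws.StringValue(resp.LocationConstraint)
if loc == "" {
	loc = "us-east-1"
}
if loc == region {
	// … unchanged: return true / else branch …
```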
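Review bot: With the added call, `RunS3Test` now issues `GetBucketLocation` twice for every bucket — once inside `checkIfEncryptionEnabled`, which calls `CheckS3Location` to decide whether to skip the bucket, and again inside `CheckIfBucketInOneZone` — which doubles the API calls on accounts with many buckets and makes throttling twice as likely. I would resolve the location once per bucket in `RunS3Test` (or in a small helper that returns a map of bucket name to region) and pass the result into both checks, so the two checks cannot disagree on the same bucket either. The start of `RunS3Test`, including the declaration of `checks`, lies outside this hunk.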